
curl-users

Re: --ftp-ssl-ccc-mode

From: Linus Nielsen Feltzing <linus_at_haxx.se>
Date: Wed, 21 Feb 2007 20:51:05 +0100

Dan Fandrich wrote:
> Is CCC standardized anywhere? I would hope that the shutdown mode would be
> specified in such a standard, since there's no way to tell ahead of time which
> mode to use. Is this really a defect in OpenSSL's shutdown handling?

CCC is standardized in RFC 4217. However, RFC 4217 does not specify how
the shutdown is supposed to be made; specifically, it does not specify
which party should initiate the shutdown.

The SSL shutdown protocol specifies in detail how the shutdown handshake
is supposed to work, but it doesn't cover the situation when the two
parties decide to shut down at the same time, which results in a race and
a deadlock, because one of the two will indefinitely wait for a reply
from the other (with a timeout of course).

The problem is that virtually no software on this planet shuts down the
SSL layer properly, since in 99% of the cases, the socket layer will be
shut down as well. Therefore the handshake is skipped, and the socket
layer is torn down without the complete SSL shutdown handshake. This is
mostly to save time, and I guess also laziness from the coders.

Linus
Received on 2007-02-21